uBlock Origin currently blocks all CSP from being sent by a website if any tracking script is blocked, such as Google Analytics, which is used by a lot of websites. CSP allows website admins to determine what content gets loaded on webpages (JS, CSS, iframes etc.), thus preventing XSS-like attacks, and also reports any hacking attempt to the admins.

Security experts have raised issues regarding this as it makes the website vulnerable by admins not getting reports of such hacking attempts, while some uBO users agree with it blocking these CSP reports, saying it protects their privacy.

Some prominent security researchers such as Troy Hunt and Scott Helme (he raised the issue on GitHub) got into a banter with uBO developer Raymond Hill (gorhill) over this issue on Twitter and raised concerns that an extension used for security in the first place was weakening it.

uBO's answer to blocking all CSP when a tracking script is blocked is that the tracking script may have triggered the CSP and uses a unilateral approach.

I think there should be an option to enable/disable CSP reporting in uBO to stop this debate completely.

No, it blocks CSP reports (info sent to a remote server, possibly 3rd-party), only when they are deemed spurious. This disinformation has to stop. CSP directives set by web sites are never ever relaxed by uBO.

@Lanik That is why I asked for this subforum to be created. I do not closely follow the GitHub repositories and events like these slip by. I am pretty sure many usual uBO users missed this news as well.

This forum would serve well for news like this especially if users post news such as this often.

@gorhill @Lanik I see that an option has been added to uBO for enabling/disabling blocking of CSP reports in the latest public release of 1.14.18. The fact that it's also disabled by default puts a complete end to the security debate. Cool.